feat: Restrict access on terminal for all non Super Admin Users

api/k8s/application/k8sApplicationRestHandler.go

@@ -89,9 +89,10 @@ type K8sApplicationRestHandlerImpl struct {
 	helmAppService         client.HelmAppService
 	userService            user.UserService
 	k8sCommonService       k8s.K8sCommonService
+	terminalEnvVariables   *util.TerminalEnvVariables
 }
 
-func NewK8sApplicationRestHandlerImpl(logger *zap.SugaredLogger, k8sApplicationService application2.K8sApplicationService, pump connector.Pump, terminalSessionHandler terminal.TerminalSessionHandler, enforcer casbin.Enforcer, enforcerUtilHelm rbac.EnforcerUtilHelm, enforcerUtil rbac.EnforcerUtil, helmAppService client.HelmAppService, userService user.UserService, k8sCommonService k8s.K8sCommonService, validator *validator.Validate) *K8sApplicationRestHandlerImpl {
+func NewK8sApplicationRestHandlerImpl(logger *zap.SugaredLogger, k8sApplicationService application2.K8sApplicationService, pump connector.Pump, terminalSessionHandler terminal.TerminalSessionHandler, enforcer casbin.Enforcer, enforcerUtilHelm rbac.EnforcerUtilHelm, enforcerUtil rbac.EnforcerUtil, helmAppService client.HelmAppService, userService user.UserService, k8sCommonService k8s.K8sCommonService, validator *validator.Validate, envVariables *util.EnvironmentVariables) *K8sApplicationRestHandlerImpl {
 	return &K8sApplicationRestHandlerImpl{
 		logger:                 logger,
 		k8sApplicationService:  k8sApplicationService,
@@ -104,6 +105,7 @@ func NewK8sApplicationRestHandlerImpl(logger *zap.SugaredLogger, k8sApplicationS
 		helmAppService:         helmAppService,
 		userService:            userService,
 		k8sCommonService:       k8sCommonService,
+		terminalEnvVariables:   envVariables.TerminalEnvVariables,
 	}
 }
 
@@ -820,6 +822,17 @@ func (handler *K8sApplicationRestHandlerImpl) requestValidationAndRBAC(w http.Re
 	}
 }
 
+func (handler *K8sApplicationRestHandlerImpl) restrictTerminalAccessForNonSuperUsers(w http.ResponseWriter, token string) bool {
+	// if RESTRICT_TERMINAL_ACCESS_FOR_NON_SUPER_USER is set to true, only super admins can access terminal/ephemeral containers
+	if handler.terminalEnvVariables.RestrictTerminalAccessForNonSuperUser {
+		if isSuperAdmin := handler.enforcer.Enforce(token, casbin.ResourceGlobal, casbin.ActionGet, "*"); !isSuperAdmin {
+			common.WriteJsonResp(w, errors.New("unauthorized, only super-admins can access terminal"), nil, http.StatusForbidden)
+			return true
+		}
+	}
+	return false
+}
+
 func (handler *K8sApplicationRestHandlerImpl) GetTerminalSession(w http.ResponseWriter, r *http.Request) {
 	token := r.Header.Get("token")
 	userId, err := handler.userService.GetLoggedInUser(r)
@@ -836,6 +849,11 @@ func (handler *K8sApplicationRestHandlerImpl) GetTerminalSession(w http.Response
 		return
 	}
 	request.ExternalArgoApplicationName = vars.Get("externalArgoApplicationName")
+	// check for super admin
+	restricted := handler.restrictTerminalAccessForNonSuperUsers(w, token)
+	if restricted {
+		return
+	}
 	if resourceRequestBean.AppIdentifier != nil {
 		// RBAC enforcer applying For Helm App
 		rbacObject, rbacObject2 := handler.enforcerUtilHelm.GetHelmObjectByClusterIdNamespaceAndAppName(resourceRequestBean.AppIdentifier.ClusterId, resourceRequestBean.AppIdentifier.Namespace, resourceRequestBean.AppIdentifier.ReleaseName)
@@ -1013,6 +1031,7 @@ func (handler *K8sApplicationRestHandlerImpl) verifyRbacForCluster(token string,
 }
 
 func (handler *K8sApplicationRestHandlerImpl) CreateEphemeralContainer(w http.ResponseWriter, r *http.Request) {
+	token := r.Header.Get("token")
 	userId, err := handler.userService.GetLoggedInUser(r)
 	if userId == 0 || err != nil {
 		common.WriteJsonResp(w, err, "Unauthorized User", http.StatusUnauthorized)
@@ -1034,6 +1053,11 @@ func (handler *K8sApplicationRestHandlerImpl) CreateEphemeralContainer(w http.Re
 		common.WriteJsonResp(w, err, nil, http.StatusBadRequest)
 		return
 	}
+	// check for super admin
+	restricted := handler.restrictTerminalAccessForNonSuperUsers(w, token)
+	if restricted {
+		return
+	}
 	//rbac applied in below function
 	resourceRequestBean := handler.handleEphemeralRBAC(request.PodName, request.Namespace, w, r)
 	if resourceRequestBean == nil {
@@ -1057,6 +1081,7 @@ func (handler *K8sApplicationRestHandlerImpl) CreateEphemeralContainer(w http.Re
 }
 
 func (handler *K8sApplicationRestHandlerImpl) DeleteEphemeralContainer(w http.ResponseWriter, r *http.Request) {
+	token := r.Header.Get("token")
 	userId, err := handler.userService.GetLoggedInUser(r)
 	if userId == 0 || err != nil {
 		common.WriteJsonResp(w, err, "Unauthorized User", http.StatusUnauthorized)
@@ -1078,6 +1103,11 @@ func (handler *K8sApplicationRestHandlerImpl) DeleteEphemeralContainer(w http.Re
 		common.WriteJsonResp(w, err, nil, http.StatusBadRequest)
 		return
 	}
+	// check for super admin
+	restricted := handler.restrictTerminalAccessForNonSuperUsers(w, token)
+	if restricted {
+		return
+	}
 	//rbac applied in below function
 	resourceRequestBean := handler.handleEphemeralRBAC(request.PodName, request.Namespace, w, r)
 	if resourceRequestBean == nil {

env_gen.md

@@ -201,6 +201,7 @@
  | REQ_CI_MEM | 3G |  | 
  | RESOURCE_LIST_FOR_REPLICAS | Deployment,Rollout,StatefulSet,ReplicaSet |  | 
  | RESOURCE_LIST_FOR_REPLICAS_BATCH_SIZE | 5 |  | 
+ | RESTRICT_TERMINAL_ACCESS_FOR_NON_SUPER_USER | false |  | 
  | REVISION_HISTORY_LIMIT_DEVTRON_APP | 1 |  | 
  | REVISION_HISTORY_LIMIT_EXTERNAL_HELM_APP | 0 |  | 
  | REVISION_HISTORY_LIMIT_HELM_APP | 1 |  | 

util/GlobalConfig.go

@@ -24,6 +24,7 @@ type EnvironmentVariables struct {
 	GlobalEnvVariables          *GlobalEnvVariables
 	DevtronSecretConfig         *DevtronSecretConfig
 	DeploymentServiceTypeConfig *DeploymentServiceTypeConfig
+	TerminalEnvVariables        *TerminalEnvVariables
 }
 
 type DeploymentServiceTypeConfig struct {
@@ -43,11 +44,16 @@ type DevtronSecretConfig struct {
 	DevtronDexSecretNamespace string `env:"DEVTRON_DEX_SECRET_NAMESPACE" envDefault:"devtroncd"`
 }
 
+type TerminalEnvVariables struct {
+	RestrictTerminalAccessForNonSuperUser bool `env:"RESTRICT_TERMINAL_ACCESS_FOR_NON_SUPER_USER" envDefault:"false"`
+}
+
 func GetEnvironmentVariables() (*EnvironmentVariables, error) {
 	cfg := &EnvironmentVariables{
 		GlobalEnvVariables:          &GlobalEnvVariables{},
 		DevtronSecretConfig:         &DevtronSecretConfig{},
 		DeploymentServiceTypeConfig: &DeploymentServiceTypeConfig{},
+		TerminalEnvVariables:        &TerminalEnvVariables{},
 	}
 	err := env.Parse(cfg)
 	if err != nil {